EP2253120A1 - Re-establishment of a security association - Google Patents

Re-establishment of a security association

Info

Publication number
EP2253120A1
EP2253120A1 EP08724217A EP08724217A EP2253120A1 EP 2253120 A1 EP2253120 A1 EP 2253120A1 EP 08724217 A EP08724217 A EP 08724217A EP 08724217 A EP08724217 A EP 08724217A EP 2253120 A1 EP2253120 A1 EP 2253120A1
Authority
EP
European Patent Office
Prior art keywords
access router
address
host
request
session
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
EP08724217A
Other languages
German (de)
French (fr)
Other versions
EP2253120A4 (en
EP2253120B1 (en
Inventor
Wassim Haddad
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Telefonaktiebolaget LM Ericsson AB
Original Assignee
Telefonaktiebolaget LM Ericsson AB
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Telefonaktiebolaget LM Ericsson AB filed Critical Telefonaktiebolaget LM Ericsson AB
Publication of EP2253120A1 publication Critical patent/EP2253120A1/en
Publication of EP2253120A4 publication Critical patent/EP2253120A4/en
Application granted granted Critical
Publication of EP2253120B1 publication Critical patent/EP2253120B1/en
Not-in-force legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0407Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • H04L63/0414Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden during transmission, i.e. party's identity is protected against eavesdropping, e.g. by using temporary identifiers, but is known to the other party or parties involved in the communication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1466Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03Protecting confidentiality, e.g. by encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/047Key management, e.g. using generic bootstrapping architecture [GBA] without using a trusted network node as an anchor
    • H04W12/0471Key exchange
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/121Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122Counter-measures against attacks; Protection against rogue devices
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W36/00Hand-off or reselection arrangements
    • H04W36/0005Control or signalling for completing the hand-off
    • H04W36/0011Control or signalling for completing the hand-off for data sessions of end-to-end connection
    • H04W36/0019Control or signalling for completing the hand-off for data sessions of end-to-end connection adapted for mobile IP [MIP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W36/00Hand-off or reselection arrangements
    • H04W36/0005Control or signalling for completing the hand-off
    • H04W36/0011Control or signalling for completing the hand-off for data sessions of end-to-end connection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W76/00Connection management
    • H04W76/20Manipulation of established connections
    • H04W76/22Manipulation of transport tunnels
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W8/00Network data management
    • H04W8/02Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks
    • H04W8/08Mobility data transfer
    • H04W8/082Mobility data transfer for traffic bypassing of mobility servers, e.g. location registers, home PLMNs or home agents
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W8/00Network data management
    • H04W8/02Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks
    • H04W8/08Mobility data transfer
    • H04W8/16Mobility data transfer selectively restricting mobility data tracking
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W80/00Wireless network protocols or protocol adaptations to wireless operation
    • H04W80/04Network layer protocols, e.g. mobile IP [Internet Protocol]

Definitions

  • the invention relates to IP mobility and is applicable in particular to maintaining privacy in respect of traffic involving one or more mobile nodes.
  • Mobile IP which is described in IETF RFC 3775, allows users of mobile communications devices to move from one network to another whilst maintaining a permanent IP address, regardless of which network they are in. This allows a user to maintain connections whilst on the move. For example, if a Mobile Node (MN) were participating in a Voice Over IP (VoIP) session with a Correspondent Node (CN), which might be fixed or mobile, and, during the session the MN moved from one network to another, without MIP support the MN's IP address may change. This would lead to problems with the VoIP session. Mobile IP relies upon the provision, within a MN's home network, of a Home Agent (HA).
  • HA Home Agent
  • the MN is allocated a Home Address (HoA) within the home network, as well as a C are-of- Address (CoA) within a visited network. Packets exchanged between MN and the CN are tunnelled between the HA and the MN using the CoA as source/destination address.
  • HoA Home Address
  • CoA -of- Address
  • RO Route Optimisation
  • Mobility Support in IPv6 (IETF RFC3775 June 2004) describes a RO procedure for messages sent to the MN from a CN. This approach requires (for each location update) that a pair or reachability tests be performed between the MN and the CN.
  • a first test (HoTI/HoT) ensures reachability of the MN at the HoA
  • a second (CoTI/CoT) ensures reachability of the MN at the CoA.
  • the HoT and CoT messages each contain a token, with the tokens being combined at the MN to generate a secret (shared with the CN).
  • a subsequent Binding Update (BU) and Binding Acknowledgement are signed with the shared key.
  • RO requires that both the CoA and HoA reachability tests be repeated at regular intervals, e.g. typically every 7 minutes, in order to limit the damage that can be caused by a time shifting attack in which a MN moves to a new network but does not update the CN, resulting in flooding of the old network.
  • IP packet streams It is desirable to introduce a degree of anonymity and unlinkability into IP packet streams to prevent the tracking of movements of mobile nodes within and between access networks whilst at the same time defending against flooding and related attacks, but to do this efficiently and securely in terms of the set-up signalling involved and the provisioning of mobility. Also it is equally desirable to relieve the mobile node from having to exchange any mobility signalling directly with the corresponding node, as well as to reduce the handoff latency by removing the CoTI/CoT exchange.
  • the method comprises sending a connection request from said first host to said first access router, said request containing an IP address claimed by said second host, a new care-of- address for the first host, and a session identifier.
  • the router Upon receipt of said connection request at said first access router, the router obtains a verified IP address for said second access router and sends an on link presence request to the second access router, the request containing at least an Interface Identifier part of the second host's claimed IP address, said care-of-address, and said session identifier.
  • Said second access router confirms that said second host is attached to the second access router using the claimed Interface Identifier, sending to the second host said care-of-address and said session identifier.
  • the second access router then reports the presence status to said first access router.
  • Said second host uses said session identifier to identify said security association, and updates the binding cache entry for said first host with the new care-of-address.
  • Embodiments of the present may effectively replace the traditional care-of address reachability test which has "plagued” all existing mobility (e.g., MIPv6, OMIPv ⁇ , HIP) and multihoming protocols (e.g., SHIM6).
  • these embodiments defend against man-in-the-middle attacks without requiring the mobile node's involvement.
  • Explicit BU/BA message exchanges are avoided by securely piggybacking a "hint" on a network-based reachability test message sent to the correspondent node after attachment of the mobile node to a local network. The hint points to the previous session. Elimination of the explicit BU/BA exchange reduces system latency. At the same time the procedure makes it difficult for a malicious node to detect that a mobile node has moved from one access network to another.
  • said first router obtains, together with said verified IP address, a public key of said second access router, and authenticates the presence status report sent by the second access router using said public key.
  • the verified IP address for said second access router is retrieved by the first access router from a trusted network server.
  • the router Following receipt of said on link presence request at said second access router, the router obtains a public key of said first access router, and authenticating the request with that key. Said public key of the first access router is retrieved by the second access router from a trusted network server.
  • Said care-of-address and said session identifier are sent from the second access router to the second host in a Neighbour Discovery message.
  • Said connection request includes a secret key shared between the first and second hosts and associated with said security association, said secret key also being included in a Neighbour Discover response sent from said second host to said access router, the secret key being used by the access routers to authenticate the presence status report.
  • the invention is applicable in particular to the where said first and second access routers share a pair of group keys (SGK, DGK) that are subsequently used by the routers to generate anonymised Interface Identifiers for use in the source and destination IPv6 addresses of the first and second hosts.
  • group keys SGK, DGK
  • the keys are generated at respective hosts and exchanged by the hosts.
  • an access router for use in an IP communication network.
  • the router comprises an input for receiving from a mobile node an attachment request, the request containing a care-of-address acquired by the mobile node, an IPv6 address claimed by a correspondent node of the mobile node, and a session identifier.
  • First processing means obtains a validated IP address for a peer access router behind which the correspondent node should be located, whilst output means forwards an on link presence request to said peer access router using said validated IP address and containing said care-of-address, the claimed IPv6 address, and said session identifier.
  • an access router for use in an IP communication network. This comprises an input for receiving from a peer access router an on link presence request containing a care-of-address acquired by a mobile node located behind said peer access router, an IPv6 address claimed by a correspondent node and containing an Interface Identifier part belonging to the access router, and a session identifier, and processing means for confirming that said correspondent node is present on the local link including means for sending said care- of-address and said session identifier to said correspondent node.
  • the router further comprises output means for reporting a link status to said peer access router.
  • a mobile node for use in an IP communication network.
  • the node comprises processing means for establishing a session with a correspondent node, said session comprising one or more security associations and a session identifier identifying the session, and attachment means for detaching from a previous access router and for attaching to a new access router.
  • the attachment means is arranged to send an attachment request to the new access router, the attachment request containing an IPv6 address of said correspondent node, a care-of-address claimed by said correspondent node, said session identifier, and a prefix reachability request in respect of the Interface Identifier part of the correspondent node's claimed IP address.
  • Input means receives reachability confirmation in respect of said claimed IP address from said access router, whilst a packet processing means is provided for exchanging packets with said correspondent node following receipt of said confirmation.
  • the new access router Following movement of a mobile node to a new access router, the new access router is immediately able to send a new group key to the correspondent node's access router by embedding it in a prefix reachability detection message, i.e. without waiting for an IKEv2 exchange as is the case in the classic PRD, and thus to extend the anonymity environment to the mobile node's new location.
  • a method of updating a binding cache entry at a correspondent node comprising sending from a first access router to which the mobile node is attached to a second access router to which the correspondent node is attached, an IPv6 prefix reachability detection request in respect of an IPv6 address claimed by the correspondent node and including in the request a care-of-address acquired by the mobile node and a hint identifying said session, performing a reachability detection check at said second access router and, in the event that reachability is confirmed, using said hint at the correspondent host to identify said session and said binding cache entry, and updating the entry with said care-of-address.
  • said hint is a parameter used by the access routers to anonymise the Interface Identifier parts of source and/or destination addresses contained within packets exchanged between said mobile node and said correspondent node. More preferably, the hint is a parameter used by said first access router to anonymise the HD part of destination addresses contained within packets sent from the mobile node to the destination node.
  • the hint may be a 64 bit destination host identifier (DHID) which is XORed with a 64 bit prefix identifier (PRID) in order to generate an anonymised HD, where PRID is obtained by applying a stream cipher to a pseudo- random number (PRN) and first group key (SGK) shared by the access routers.
  • PRN pseudo- random number
  • SGK first group key
  • Figure 1 illustrates schematically a process for generating an encryption pad at an IP packet sender
  • Figure 2 illustrates signalling associated with setting up a pad for encrypting and anonymising IP packets
  • Figure 3 illustrates schematically a process for generating a new IPv6 HD for a destination host
  • Figure 4 illustrates schematically a process for recovering, at an access router of an IP packet receiver, a destination identity
  • Figure 5 illustrates signalling associated with a prefix reachability detection scheme forming part of a mobility protocol
  • Figure 6 illustrates mobility signalling following movement of a mobile node from a first access router to a new access router
  • Figure 7 illustrates schematically a mobile node and access router suitable for use in mobility protocol embodying the present invention.
  • This protocol makes use of an encryption function known as a "One Time Pad Encryption" (OTPE) function.
  • this function comprises a stream cipher 1 which receives as a first input a first 128 bit session key (Session key 1) and as a second input a 64 bit pseudo-random number.
  • the pseudo-random number is in turn generated by a block cipher 2 which receives as a first input a second 128 bit session key (Session key 2) and a counter value (Counter).
  • the block cipher is preferably, but not necessarily, an AES encryption function (e.g. in ECB mode).
  • the counter value is incremented by 1.
  • the output of the block cipher 2 is a new pseudo-random number (PSN). This is fed into the stream cipher which is clocked to generate a pad of appropriate length to secure an IP packet, including the header and payload. Bit positions of the pad which correspond to positions of the packet which are not to be encrypted, e.g. source and destination addresses in the packet header, are reset to "0" by a first XOR function 3.
  • the pad output by the first XOR function 3 is then applied to a first input of a second XOR function 4, which receives at its second input the IP packet to be secured.
  • the output of the second XOR function is a cryptographically secured representation of the original IP packet.
  • the packet In order to allow a receiver to decrypt the packet, the packet must include the used pseudo-random number. As will be discussed below, the pseudorandom number is included in the IPv6 packet header.
  • an initial check is performed using the pseudo-random number and Session key 2 as inputs to the block cipher.
  • the result corresponds to the counter value.
  • the receiver maintains a counter value window, and the packet is accepted only if the determined counter value lies within this window.
  • the pseudo-random number part of the packet is applied to a first input to a stream cipher, whilst the first Session key is applied to a second input.
  • the output of the stream cipher is the original pad. Bits of the pad corresponding to bits of the packet which are not encrypted are then set to "0".
  • the modified pad is applied to a first input of a further XOR function, with the second input receiving the secured packet.
  • the output of the XOR function is the decrypted packet.
  • IPv6 provides for IP addresses having a 64 bit Interface Identifier (HD) suffix and a 64 bit network prefix.
  • the HD is chosen by the host terminal and is sent to an Access Router (AR) to which the host is connected, during an attachment procedure.
  • AR Access Router
  • the network prefix part of the IP address is a fixed address of the AR and the host is informed of this in an AR advertisement message.
  • anonymity can be enabled. This means that no particular HD is disclosed in more than one data packet during an ongoing session.
  • the OTPE function described above can be used to generate the randomized HD in a process termed Anonymous OTPE (AOTPE).
  • AOTPE Anonymous OTPE
  • AOTPE relies upon an acceptance that it is extremely difficult to ensure anonymity for hosts attached to the same access network, i.e. sharing a common AR.
  • An access network to which two mobile terminals are attached. Each of these terminals will know that traffic not intended for itself is destined to the other terminal. Furthermore, regardless of the source and destination addresses used in packets sent over the local link, the Media Access Control (MAC) addresses used should remain static. Applying this in the case of a set of hosts attached to a first AR and communicating with a set of hosts attached to a second AR means that there is no reduction in the level of security if keys used to provide anonymity of IIDs are shared between the two sets of hosts. Anonymity is provided only in respect of third parties analysing traffic travelling between the two ARs.
  • CGAs Cryptographically Generated Addresses
  • S Prior to running a key exchange protocol (e.g. IKEv2) with D, S requests that AR(S) generate a group key SGK.
  • This group key is a key assigned by AR(S) to the network prefix used by D, i.e. DP.
  • the same group key will be provided for all hosts using the network prefix SP to communicate with destination hosts using the network prefix DP, i.e. the binding ⁇ SGK,SP,DP ⁇ is made.
  • Group keys have a limited lifetime.
  • S generates a unique sender host identity (SHID) and a unique destination host identity (DHID) using the keys shared with D, and sends these to AR(S).
  • SHID sender host identity
  • DHID unique destination host identity
  • S then initiates the key exchange protocol with D using a static pseudo-IPv ⁇ (CGA) address.
  • CGA static pseudo-IPv ⁇
  • D requests that AR(D) generate a group key DGK.
  • This key is similarly bound to DP and SP, i.e. ⁇ DGK,DP,SP ⁇ .
  • D also generates SHID and DHID and provides these to AR(D).
  • AR(D) and AR(S) then securely exchange SGK and DGK.
  • SHID is subsequently used by AR(S) to identify packets received from AR(D).
  • Table 1 shows the bindings that are maintained at S and D, assuming that each host has established bindings for n different peer hosts (DPl,DP2...DPn in the case of S, and SPl,SP2,...SPn in the case of D). Although not shown in the Tables, S and D also maintain mappings between SHID and D's fixed IP address and between DHID and S's fixed IP address.
  • Table 2 shows the bindings maintained at AR(S), assuming that n hosts are currently attached using MAC addresses 1 to n and interface identifiers HD 1 to WOn (of respective CGA IP addresses). A corresponding set of bindings are maintained at
  • FIG. 2 illustrates schematically the required message exchange which takes place prior to, and within the key exchange protocol.
  • the hosts S and D will share the two OTPE keys, namely Session key 1 and Session key 2 of
  • S For each packet sent by S to D, S carries out the following: • Packets are generated at S and include the fixed IPv6 source and destination address.
  • • S applies the OTPE protocol to encrypt the payload and portions of the packet header, e.g. the sequence number, but excluding the source and destination addresses. • S includes PSN within a new header field and sends the packet to AR(S).
  • IPv6 HD A new IPv6 HD will be used for D in the following way:
  • new HD PRID XOR SHID.
  • the new HD is then concatenated with the destination network prefix DP to generate a full IPv6 destination address. This mechanism is illustrated in Figure 3.
  • the new HD is concatenated with the source network prefix to generate a full IPv6 source address.
  • AR(S) substitutes the anonymised destination and source addresses into the packet header, replacing the fixed addresses, and the packet is sent by AR(S) towards D.
  • Packets destined for D arrive at AR(D) as a result of the network prefix of the destination address.
  • AR(D) performs a verification procedure as follows:
  • AR(D) checks if the source address network prefix is stored in its cache memory. After that, it uses the corresponding SGK together with the PSN, included in the packet header, to generate the PRID, as illustrated in Figure 4.
  • the next step after generating the PRID is to XOR it with the destination address HD to generate a SHID.
  • the cache memory at AR(D) is then searched using the resulting 64-bit value as key. If the SHID is found within the cache, AR(D) identifies the associated static HD for D and replaces the anonymised destination address HD with this fixed HD.
  • AR(D) is able to identify the MAC address of D.
  • AR(D) uses the MAC address to forward the packet to D.
  • D repeats the procedure to identify the correct SHID.
  • the verified SHID it identifies the correct Session Key 2.
  • D applies the PSN (included in the packet header) and Session Key 2 to identify a counter value. If the counter value falls within a current window, the packet is accepted. Session Key 1 and the PSN are then used to decrypt the packet using the OTPE protocol as described above.
  • D is also able to identify the fixed HD of S, and substitutes this into the packet header for the anonymised source HD before passing the packet to the higher protocol layers.
  • AR(S) upon receipt of a packet at AR(S), AR(S) recovers and verifies DHID and performs the necessary substitution (including substituting the anonymised source address HD for the fixed HD). It then identifies the MAC address corresponding to DHID and forwards the packet to S over the local link.
  • a MN In order to allow a MN to be always reachable, some mechanism must be introduced to provide a static point of contact for the MN. This might involve the use of a Home Address (HoA) as discussed above with reference to Mobile IP, or it might involve the use of the Host Identity Protocol (HIP) according to which hosts are reachable at a fixed Host Identity.
  • HoA Home Address
  • HIP Host Identity Protocol
  • the fixed IP address of the MN referred to above (and for which the anonymised address is substituted) becomes a Care-of-Address (CoA), with a mobility layer (binding cache) within the MN performing a translation between the CoA and the HoA or HI.
  • CoA Care-of-Address
  • PRD Prefix Reachability Detection
  • S requests AR(S) to perform a PRD check in respect of D's IP address. For this purpose, S sends a Prefix Reachability
  • Ksh is derived from the hash of the IKEv2 session key Ks and a hint, H.
  • the PRR message is signed with S's private key and the option carrying Ksh is encrypted with AR(S) 's public key.
  • Both S and D use the same method to derive Ksh, e.g.
  • Ksh First[ 128, Hash[ Hash(Ks)
  • Hash is a secure cryptographic function.
  • Ks is IKEv2 session key.
  • IID(D) (D)'s IP address interface identifier.
  • IID(S) (S)'s IP address interface identifier.
  • I indicates bytewise concatenation, as in A
  • AR(S) receives the PRR and attempts to validate it using S's public key. Assuming that validation is successful, AR(S) performs a "prefix lookup" using D's 64-bit prefix (IPPd), in order to learn the corresponding IP address (IP AR(D) ) and public key Kpd of AR(D). It is assumed that some trusted network server (TNS) is provided for this purpose, and that a secure look-up protocol is available. AR(S) then sends an "On Link Presence Request" (OLPR) message to AR(D), which carries D's 64-bit interface identifier (IID D ), S'S COA including its 64-bit prefix (IPPs), and a 64-bit nonce (n). The IP destination address used in the OLPR message is the one sent to AR(S) in response to its query related to D's prefix. AR(S) authenticates the OLPR message with Ksh and signs it with its own private key.
  • IPPd D's 64-
  • AR(D) Upon receiving an OLPR message, AR(D) starts the validation procedure by performing a look-up on S's prefix in order to fetch the corresponding IP address (IP AR(S) ) and public key(s), Kps. Again, this relies upon the existence of a trusted network server and a secure look-up protocol. AR(D) then checks the validity of the IP source address used in the OLPR message by confirming that it matches the IP address returned from the trusted server. This represents a first level of defence, but it will not prevent (at this stage) an attack using a spoofed source address. AR(D) then checks whether or not the requested HD is present on the local link.
  • AR(D) uses the neighbor discovery protocol (described in RFC2461) and inserts S's CoA in the ND message.
  • AR(D) authenticates (or signs) the ND message using its private key Kpd, before sending it on the local link.
  • D Assuming that D is indeed present on the local link, it receives the ND message and determines the hint H (which may be explicitly carried in the message or reconstructed from the Interface Identifiers). D updates its binding cache entry for S's IP address using the CoA, and replies to AR(D) with an ND message containing Ksh (calculated using the above formula). Ksh is inserted in an option encrypted using AR(D) 's public key, Kpd. The message is also signed using D's private key.
  • AR(D) validates the ND message using its public key, and decrypts Ksh using its own private key.
  • AR(D) uses Ksh to check the authenticity of the OLPR message previously received from AR(S). It is noted that this authentication step is not computationally expensive. If the message is authenticated, then AR(D) proceeds to check the signature using its public key Kps (a more computationally expensive process), then sends back an "On Link Presence Confirmation (OLPC)" message to AR(S).
  • the OLPC message carries the nonce sent in the OLPR message.
  • the OLPC message is authenticated with the shared key Ksh and signed with AR(D) 's private key.
  • AR(D) does not get a valid reply from D (i.e., a message conveying Ksh)
  • AR(D) sends an "On link Prefix Denial (OLPD)" message to AR(S). It follows that the OLPR message cannot be authenticated and in this case, the OLPD is signed with AR(D) ' s private key.
  • AR(S) After checking the validity of OLPC/OLPD using Ksh and Kpd, AR(S) notifies S of the success/failure of its PRR message. This is done by sending a "Prefix Reachability Acknowledgment" (PRA) message to S. The PRA message is signed with AR(S) 's private key. The OLPD message is reflected in the PRA message by setting the "Alert" (A) bit. Following receipt of a valid PRA message, S can decide whether or not to pursue the data exchange with D, and in particular to perform the AOTPE establishment phase.
  • PRA Prefix Reachability Acknowledgment
  • the PRD procedure can be repeated periodically during the data exchange between S and D and indeed this is desirable to ensure that one of the parties does not subsequently move out from behind its access router and initiate a "sniffing" attack on the link between the routers (using SGK and DGK).
  • the endpoint that remains behind its access router will determine from the repeat PRD procedure that the other endpoint has moved and can stop sending traffic. This event may also trigger the access routers to renegotiate the group keys DGK, SGK.
  • the endpoints S and D share a pair of session keys (Session Key 1 and 2) and DHID/SHID.
  • the access routers AR(S) and AR(D) also share DHID/SHID, as well as the group keys SGK and DGK.
  • the endpoints can be confident that they are communicating directly with one another and not via a man-in-the middle. Also, as described, repeating the PRD process at regular intervals allows the access routers to detect when an endpoint has left the local network and to take appropriate action.
  • Figure 5 illustrates a signalling flow associated with this initial PRD process, assuming that all authentications and checks are carried out successfully.
  • S In order to allow S to continue with its ongoing communication with D, S must communicate the new CoA to D.
  • S sends a PRR message to AR(N) in order to trigger AR(N) to perform a Prefix Reachability Detection (PRD) test on D's HD.
  • PRD Prefix Reachability Detection
  • the PRR message carries the key shared between S and D, namely Ksh. This Ksh may be the same key used previously, or it may be a refreshed key.
  • S also includes in the PRR message its static identifier, e.g. HoA or HI, the previously determined DHID and SHID, and its new CoA.
  • the PRR may be piggybacked on a
  • AR(N) fetches AR(D) 's public key and IP address from the trusted network server, using D's claimed prefix. AR(N) then determines whether or not it already has a shared
  • SGKn/DGKn with AR(D) may exist due to previous communication between hosts located behind AR(N) and AR(D). In the event that no group keys are already shared by the access routers, AR(N) generates a new group key SGKn.
  • AR(N) then sends an OLPR message to AR(D) and includes in this S's static identifier as well as the CoA, inserted in a new option(s).
  • AR(N) also includes in the OLPR a new group key SGKn, if one was generated, as well as DHID, encrypted with AR(D)'s public key, Kps.
  • DHID will act as a session identifier to D.
  • AR(D) Upon receipt of the OLPR at AR(D), AR(D) validates AR(N) using the trusted server and the procedure described above. It then checks for D's presence on the local link at the IID contained within the OLPR, including S's static identifier, CoA and the DHID in the ND message. D uses DHID to fetch the previously negotiated Security Association, including Session keys 1 and 2, and to update its binding cache entries with the new CoA. Assuming that D is present on the local link, it returns Ksh to AR(D), and AR(D) uses this key to authenticate the OLPR as "belonging" to S. D also includes in the ND that it sends to AR(D), the previously used SHID. AR(D) generates a new group key DGKn if necessary, and then updates its binding cache entry with DHID and SHID and the new group keys.
  • the next step is for AR(D) to send an OLPC to AR(N) in the event that all procedures have been completed successfully, including if necessary DGKn encrypted with AR(S)'s public key. Otherwise AR(D) returns an OLPD denial.
  • AR(S) receives an OLPC and is able to validate the signature, it sends a PRA to S.
  • S can be confident that D is located within the network that owns the network prefix that D wishes to use, and vice versa. Furthermore, S and D can be confident that they are communicating directly with one another and not via a man-in- the-middle attacker. S and D can begin sending packets to one another using the AOTPE procedure described above.
  • FIG. 7 illustrates schematically a mobile node (S) and an access router suitable for implementing the mobility protocol presented here.
  • a memory 2 for storing DHID, SHID and other required parameters.
  • a functional block 3 performs the AOTPE negotiation with a peer node via the ARs, whilst a functional block 4 is responsible for on-the-fly pad encryption (and decryption) of packets, including incorporating into outgoing packets the appropriate PSN.
  • An interface 14 connects the MN to the AR.
  • a database 6 stores all session related data (see Table 2 below), whilst a functional block 7 is responsible for PRD and AOTPE establishment.
  • a further functional block 8 handles on-the-fly IID substitution for incoming and outgoing packets, as well as local network routing based upon DHID and SHID.
  • a first interface 12 connects the AR to the MN, whilst a second interface 13 connects it to the CN.
  • correspondent node CN 9 connects it to the CN.
  • CN access router 10 connects it to the CN.
  • CN also illustrated in Figure 7 are correspondent node CN 9, and a CN access router 10.
  • a trusted server 11 Also illustrated is a trusted server 11. The procedure described above efficiently integrates a prefix reachability test with the IP address anonymisation setup process. The signalling is very efficient as it relieves S from running a care-of address reachability test (which may be susceptible to a spoofing attack) with D, whilst also relieving it from exchanging a BU/BA following the reachability test.
  • the new access router will just receive a new DHID from the mobile node upon attachment.
  • This DHID is pre-computed by the mobile node and pre-stored by the correspondent node in the corresponding binding cache entry (BCE).
  • BCE binding cache entry

Abstract

According to a first aspect of the present invention there is provided a method of re- establishing a session between first and second IP hosts attached to respective first and second IP access routers, the session previously having been conducted via a previous access router to which said first host was attached, and where a security association comprising a shared secret has been established between the hosts. The method comprises sending a connection request from said first host to said first access router, said request containing an IP address claimed by said second host, a new care-of- address for the first host, and a session identifier. Upon receipt of said connection request at said first access router, the router obtains a verified IP address for said second access router and sends an on link presence request to the second access router, the request containing at least an Interface Identifier part of the second host's claimed IP address, said care-of-address, and said session identifier. Said second access router confirms that said second host is attached to the second access router using the claimed Interface Identifier, sending to the second host said care-of-address and said session identifier. The second access router then reports the presence status to said first access router. Said second host uses said session identifier to identify said security association, and updates the binding cache entry for said first host with the new care-of-address.

Description

RE-ESTABLISHMENT OF A SECURITY ASSOCIATION
Technical field
The invention relates to IP mobility and is applicable in particular to maintaining privacy in respect of traffic involving one or more mobile nodes.
Background
Mobile IP (MIP), which is described in IETF RFC 3775, allows users of mobile communications devices to move from one network to another whilst maintaining a permanent IP address, regardless of which network they are in. This allows a user to maintain connections whilst on the move. For example, if a Mobile Node (MN) were participating in a Voice Over IP (VoIP) session with a Correspondent Node (CN), which might be fixed or mobile, and, during the session the MN moved from one network to another, without MIP support the MN's IP address may change. This would lead to problems with the VoIP session. Mobile IP relies upon the provision, within a MN's home network, of a Home Agent (HA). The MN is allocated a Home Address (HoA) within the home network, as well as a C are-of- Address (CoA) within a visited network. Packets exchanged between MN and the CN are tunnelled between the HA and the MN using the CoA as source/destination address.
Route Optimisation (RO) is a procedure used in mobility networks to improve the efficiency with which messages are sent between a MN and a CN. More particularly, RO allows traffic sent from the CN to the MN to be routed directly to the MN without passing through the HA. Mobility Support in IPv6 (IETF RFC3775 June 2004) describes a RO procedure for messages sent to the MN from a CN. This approach requires (for each location update) that a pair or reachability tests be performed between the MN and the CN. A first test (HoTI/HoT) ensures reachability of the MN at the HoA, and a second (CoTI/CoT) ensures reachability of the MN at the CoA. The HoT and CoT messages each contain a token, with the tokens being combined at the MN to generate a secret (shared with the CN). A subsequent Binding Update (BU) and Binding Acknowledgement are signed with the shared key. RO requires that both the CoA and HoA reachability tests be repeated at regular intervals, e.g. typically every 7 minutes, in order to limit the damage that can be caused by a time shifting attack in which a MN moves to a new network but does not update the CN, resulting in flooding of the old network.
An enhanced RO protocol has been proposed (IETF RFC4866). This enhanced protocol introduces the use of Cryptographically Generated Addresses CGA as HoAs, with BUs being signed with the sender's private key. The use of CGAs avoids the need for further HoA reachability tests after an initial test has been performed: after the initial test, the CN can trust that the MN has not only generated the CGA but that it had the right to do so. As well as improving security, the enhanced RO protocol reduces mobility related signalling.
Various security vulnerabilities are present within the existing RO proposals. In particular, it may be possible for an attacker present on the link between a MN and a CN, i.e. a man-in-the-middle, to observe patterns within packet streams and to thereby track the movements of the MN. An attacker could for example scan BUs sent between a MN and a CN. The BUs will reveal both the HoA and CoA of the MN, and the CNs IP address. By looking for consecutive (or similar) header sequence numbers, the attacker can follow the MN's movements between access networks.
It is desirable to introduce a degree of anonymity and unlinkability into IP packet streams to prevent the tracking of movements of mobile nodes within and between access networks whilst at the same time defending against flooding and related attacks, but to do this efficiently and securely in terms of the set-up signalling involved and the provisioning of mobility. Also it is equally desirable to relieve the mobile node from having to exchange any mobility signalling directly with the corresponding node, as well as to reduce the handoff latency by removing the CoTI/CoT exchange.
Summary
According to a first aspect of the present invention there is provided a method of reestablishing a session between first and second IP hosts attached to respective first and second IP access routers, the session previously having been conducted via a previous access router to which said first host was attached, and where a security association comprising a shared secret has been established between the hosts. The method comprises sending a connection request from said first host to said first access router, said request containing an IP address claimed by said second host, a new care-of- address for the first host, and a session identifier. Upon receipt of said connection request at said first access router, the router obtains a verified IP address for said second access router and sends an on link presence request to the second access router, the request containing at least an Interface Identifier part of the second host's claimed IP address, said care-of-address, and said session identifier. Said second access router confirms that said second host is attached to the second access router using the claimed Interface Identifier, sending to the second host said care-of-address and said session identifier. The second access router then reports the presence status to said first access router. Said second host uses said session identifier to identify said security association, and updates the binding cache entry for said first host with the new care-of-address.
Embodiments of the present may effectively replace the traditional care-of address reachability test which has "plagued" all existing mobility (e.g., MIPv6, OMIPvό, HIP) and multihoming protocols (e.g., SHIM6). In addition, these embodiments defend against man-in-the-middle attacks without requiring the mobile node's involvement. Explicit BU/BA message exchanges are avoided by securely piggybacking a "hint" on a network-based reachability test message sent to the correspondent node after attachment of the mobile node to a local network. The hint points to the previous session. Elimination of the explicit BU/BA exchange reduces system latency. At the same time the procedure makes it difficult for a malicious node to detect that a mobile node has moved from one access network to another.
According to an embodiment of the invention, said first router obtains, together with said verified IP address, a public key of said second access router, and authenticates the presence status report sent by the second access router using said public key. The verified IP address for said second access router is retrieved by the first access router from a trusted network server.
Following receipt of said on link presence request at said second access router, the router obtains a public key of said first access router, and authenticating the request with that key. Said public key of the first access router is retrieved by the second access router from a trusted network server.
Said care-of-address and said session identifier are sent from the second access router to the second host in a Neighbour Discovery message. Said connection request includes a secret key shared between the first and second hosts and associated with said security association, said secret key also being included in a Neighbour Discover response sent from said second host to said access router, the secret key being used by the access routers to authenticate the presence status report.
The invention is applicable in particular to the where said first and second access routers share a pair of group keys (SGK, DGK) that are subsequently used by the routers to generate anonymised Interface Identifiers for use in the source and destination IPv6 addresses of the first and second hosts. In the event that said group keys are not shared by the access routers prior to receipt by the first access router of said connection request, the keys are generated at respective hosts and exchanged by the hosts.
According to a second aspect of the present invention there is provided an access router for use in an IP communication network. The router comprises an input for receiving from a mobile node an attachment request, the request containing a care-of-address acquired by the mobile node, an IPv6 address claimed by a correspondent node of the mobile node, and a session identifier. First processing means obtains a validated IP address for a peer access router behind which the correspondent node should be located, whilst output means forwards an on link presence request to said peer access router using said validated IP address and containing said care-of-address, the claimed IPv6 address, and said session identifier.
According to a third aspect of the present invention there is provided an access router for use in an IP communication network. This comprises an input for receiving from a peer access router an on link presence request containing a care-of-address acquired by a mobile node located behind said peer access router, an IPv6 address claimed by a correspondent node and containing an Interface Identifier part belonging to the access router, and a session identifier, and processing means for confirming that said correspondent node is present on the local link including means for sending said care- of-address and said session identifier to said correspondent node. The router further comprises output means for reporting a link status to said peer access router.
According to a fourth aspect of the present invention there is provided a mobile node for use in an IP communication network. The node comprises processing means for establishing a session with a correspondent node, said session comprising one or more security associations and a session identifier identifying the session, and attachment means for detaching from a previous access router and for attaching to a new access router. The attachment means is arranged to send an attachment request to the new access router, the attachment request containing an IPv6 address of said correspondent node, a care-of-address claimed by said correspondent node, said session identifier, and a prefix reachability request in respect of the Interface Identifier part of the correspondent node's claimed IP address. Input means receives reachability confirmation in respect of said claimed IP address from said access router, whilst a packet processing means is provided for exchanging packets with said correspondent node following receipt of said confirmation.
Following movement of a mobile node to a new access router, the new access router is immediately able to send a new group key to the correspondent node's access router by embedding it in a prefix reachability detection message, i.e. without waiting for an IKEv2 exchange as is the case in the classic PRD, and thus to extend the anonymity environment to the mobile node's new location.
According to a further aspect of the present invention there is provided a method of updating a binding cache entry at a correspondent node, the entry relating to a session previously established between the correspondent node and a peer node, the method comprising sending from a first access router to which the mobile node is attached to a second access router to which the correspondent node is attached, an IPv6 prefix reachability detection request in respect of an IPv6 address claimed by the correspondent node and including in the request a care-of-address acquired by the mobile node and a hint identifying said session, performing a reachability detection check at said second access router and, in the event that reachability is confirmed, using said hint at the correspondent host to identify said session and said binding cache entry, and updating the entry with said care-of-address. Preferably, said hint is a parameter used by the access routers to anonymise the Interface Identifier parts of source and/or destination addresses contained within packets exchanged between said mobile node and said correspondent node. More preferably, the hint is a parameter used by said first access router to anonymise the HD part of destination addresses contained within packets sent from the mobile node to the destination node. For example, the hint may be a 64 bit destination host identifier (DHID) which is XORed with a 64 bit prefix identifier (PRID) in order to generate an anonymised HD, where PRID is obtained by applying a stream cipher to a pseudo- random number (PRN) and first group key (SGK) shared by the access routers. A new PSN is generated by said mobile node for each packet using a key shared between the mobile node and the correspondent node, and is included in a packet header field.
Brief Description of the Drawings
Figure 1 illustrates schematically a process for generating an encryption pad at an IP packet sender;
Figure 2 illustrates signalling associated with setting up a pad for encrypting and anonymising IP packets; Figure 3 illustrates schematically a process for generating a new IPv6 HD for a destination host;
Figure 4 illustrates schematically a process for recovering, at an access router of an IP packet receiver, a destination identity;
Figure 5 illustrates signalling associated with a prefix reachability detection scheme forming part of a mobility protocol;
Figure 6 illustrates mobility signalling following movement of a mobile node from a first access router to a new access router; and
Figure 7 illustrates schematically a mobile node and access router suitable for use in mobility protocol embodying the present invention.
Detailed Description
There will now be described an IP mobility protocol with improved security. This protocol makes use of an encryption function known as a "One Time Pad Encryption" (OTPE) function. With reference to Figure 1 , this function comprises a stream cipher 1 which receives as a first input a first 128 bit session key (Session key 1) and as a second input a 64 bit pseudo-random number. The pseudo-random number is in turn generated by a block cipher 2 which receives as a first input a second 128 bit session key (Session key 2) and a counter value (Counter). The block cipher is preferably, but not necessarily, an AES encryption function (e.g. in ECB mode). For each packet to be secured using OTPE, the counter value is incremented by 1. The output of the block cipher 2 is a new pseudo-random number (PSN). This is fed into the stream cipher which is clocked to generate a pad of appropriate length to secure an IP packet, including the header and payload. Bit positions of the pad which correspond to positions of the packet which are not to be encrypted, e.g. source and destination addresses in the packet header, are reset to "0" by a first XOR function 3.
The pad output by the first XOR function 3 is then applied to a first input of a second XOR function 4, which receives at its second input the IP packet to be secured. The output of the second XOR function is a cryptographically secured representation of the original IP packet. In order to allow a receiver to decrypt the packet, the packet must include the used pseudo-random number. As will be discussed below, the pseudorandom number is included in the IPv6 packet header.
Considering now the receiver, in order to avoid replay attacks, an initial check is performed using the pseudo-random number and Session key 2 as inputs to the block cipher. The result corresponds to the counter value. The receiver maintains a counter value window, and the packet is accepted only if the determined counter value lies within this window. Assuming that it does, the pseudo-random number part of the packet is applied to a first input to a stream cipher, whilst the first Session key is applied to a second input. The output of the stream cipher is the original pad. Bits of the pad corresponding to bits of the packet which are not encrypted are then set to "0". The modified pad is applied to a first input of a further XOR function, with the second input receiving the secured packet. The output of the XOR function is the decrypted packet.
IPv6 provides for IP addresses having a 64 bit Interface Identifier (HD) suffix and a 64 bit network prefix. Typically, the HD is chosen by the host terminal and is sent to an Access Router (AR) to which the host is connected, during an attachment procedure. The network prefix part of the IP address is a fixed address of the AR and the host is informed of this in an AR advertisement message. By allowing a host to refresh its HD in each data packet sent to a destination, anonymity can be enabled. This means that no particular HD is disclosed in more than one data packet during an ongoing session. In addition to changing the sender's HD in each data packet, it is highly desirable to also change the receiver's (i.e. destination) IPv6 address. The OTPE function described above can be used to generate the randomized HD in a process termed Anonymous OTPE (AOTPE).
AOTPE relies upon an acceptance that it is extremely difficult to ensure anonymity for hosts attached to the same access network, i.e. sharing a common AR. Consider for example an access network to which two mobile terminals are attached. Each of these terminals will know that traffic not intended for itself is destined to the other terminal. Furthermore, regardless of the source and destination addresses used in packets sent over the local link, the Media Access Control (MAC) addresses used should remain static. Applying this in the case of a set of hosts attached to a first AR and communicating with a set of hosts attached to a second AR means that there is no reduction in the level of security if keys used to provide anonymity of IIDs are shared between the two sets of hosts. Anonymity is provided only in respect of third parties analysing traffic travelling between the two ARs.
Consider by way of example a source host S trying to establish a connection with a destination host D. Both S and D are assumed to make use of respective Cryptographically Generated Addresses (CGAs). CGAs have been discussed above in the context of enhance Route Optimisation. It will be appreciated that the use of CGAs requires hosts to possess a public-private key pair. The possession of such a key pair proves useful in ensuring end-to-end security as will be discussed further below. It is assumed that S is attached to an access router AR(S) and that D is attached to an access router AR(D). As part of their respective access router attachment procedures, S will have obtained from AR(S) a network prefix SP, and D will have obtained from AR(D) a network prefix DP. Prior to running a key exchange protocol (e.g. IKEv2) with D, S requests that AR(S) generate a group key SGK. This group key is a key assigned by AR(S) to the network prefix used by D, i.e. DP. The same group key will be provided for all hosts using the network prefix SP to communicate with destination hosts using the network prefix DP, i.e. the binding {SGK,SP,DP} is made. Group keys have a limited lifetime. In addition, S generates a unique sender host identity (SHID) and a unique destination host identity (DHID) using the keys shared with D, and sends these to AR(S).
S then initiates the key exchange protocol with D using a static pseudo-IPvό (CGA) address. When the initiating message (e.g. IKEv2 or HIP) is received by D, D requests that AR(D) generate a group key DGK. This key is similarly bound to DP and SP, i.e. {DGK,DP,SP}. D also generates SHID and DHID and provides these to AR(D). AR(D) and AR(S) then securely exchange SGK and DGK. SHID is subsequently used by AR(S) to identify packets received from AR(D).
Table 1 below shows the bindings that are maintained at S and D, assuming that each host has established bindings for n different peer hosts (DPl,DP2...DPn in the case of S, and SPl,SP2,...SPn in the case of D). Although not shown in the Tables, S and D also maintain mappings between SHID and D's fixed IP address and between DHID and S's fixed IP address.
Table 2 below shows the bindings maintained at AR(S), assuming that n hosts are currently attached using MAC addresses 1 to n and interface identifiers HD 1 to WOn (of respective CGA IP addresses). A corresponding set of bindings are maintained at
AR(D). Figure 2 illustrates schematically the required message exchange which takes place prior to, and within the key exchange protocol. Of course, at the end of the key exchange protocol, in addition to sharing the host identities DHID and SHID, the hosts S and D will share the two OTPE keys, namely Session key 1 and Session key 2 of
Figure 1.
In order to achieve encryption and anonymity, for each packet sent by S to D, S carries out the following: • Packets are generated at S and include the fixed IPv6 source and destination address.
• S applies the OTPE protocol to encrypt the payload and portions of the packet header, e.g. the sequence number, but excluding the source and destination addresses. • S includes PSN within a new header field and sends the packet to AR(S).
A new IPv6 HD will be used for D in the following way:
• AR(S) will use the same mode applied to generate PSN, in order to generate a random identifier, called PRID, that is PRID = /SC(PSN,SGK), where fsc represents the stream cipher. NB. AR(S) knows PSN as it forms the HD part of the source IP address.
• After generating PRID, AR(S) computes the new destination IPv6 HD by XORing PRID and SHID, i.e., new HD = PRID XOR SHID. The new HD is then concatenated with the destination network prefix DP to generate a full IPv6 destination address. This mechanism is illustrated in Figure 3.
In the same way, AR(S) generates a new interface identifier for S, i.e. new HD = PRID XOR DHID. The new HD is concatenated with the source network prefix to generate a full IPv6 source address.
AR(S) substitutes the anonymised destination and source addresses into the packet header, replacing the fixed addresses, and the packet is sent by AR(S) towards D.
Packets destined for D arrive at AR(D) as a result of the network prefix of the destination address. AR(D) performs a verification procedure as follows:
• AR(D) checks if the source address network prefix is stored in its cache memory. After that, it uses the corresponding SGK together with the PSN, included in the packet header, to generate the PRID, as illustrated in Figure 4.
• The next step after generating the PRID is to XOR it with the destination address HD to generate a SHID. The cache memory at AR(D) is then searched using the resulting 64-bit value as key. If the SHID is found within the cache, AR(D) identifies the associated static HD for D and replaces the anonymised destination address HD with this fixed HD.
• Using the verified SHID, AR(D) is able to identify the MAC address of D. AR(D) uses the MAC address to forward the packet to D. Upon receipt of the packet at D, D repeats the procedure to identify the correct SHID. Using the verified SHID, it identifies the correct Session Key 2. D applies the PSN (included in the packet header) and Session Key 2 to identify a counter value. If the counter value falls within a current window, the packet is accepted. Session Key 1 and the PSN are then used to decrypt the packet using the OTPE protocol as described above. D is also able to identify the fixed HD of S, and substitutes this into the packet header for the anonymised source HD before passing the packet to the higher protocol layers.
It will be readily appreciated that the precedure is effectively reversed when D is the packet sender, and S is the packet receiver. In this case, upon receipt of a packet at AR(S), AR(S) recovers and verifies DHID and performs the necessary substitution (including substituting the anonymised source address HD for the fixed HD). It then identifies the MAC address corresponding to DHID and forwards the packet to S over the local link.
In order to allow a MN to be always reachable, some mechanism must be introduced to provide a static point of contact for the MN. This might involve the use of a Home Address (HoA) as discussed above with reference to Mobile IP, or it might involve the use of the Host Identity Protocol (HIP) according to which hosts are reachable at a fixed Host Identity. In this case, the fixed IP address of the MN referred to above (and for which the anonymised address is substituted) becomes a Care-of-Address (CoA), with a mobility layer (binding cache) within the MN performing a translation between the CoA and the HoA or HI.
It will be appreciated that the procedure described above introduces sender and receiver anonymity into a packet flow, as well as providing for the encryption of payload (and possibly header) data. It does not however provide a defence against a man-in-the- middle attack in which an attacker interposes himself between the two access routers, negotiating separate Session keys, group keys, and DHIDs/SHIDs with each party (MN and CN).
In order to address these security issues, prior to initiating the AOTPE process, a Prefix Reachability Detection (PRD) process is implemented as illustrated in Figure 5. Such a process is described in "Enabling Source Address Verification via Prefix Reachability Detection" published as IETF Internet Draft draft-haddad-sava-prefix-reachability- detection-00 The main components of PRD are a secure and trustable "prefix routing lookup" mechanism and a secure on-demand query/response between the communicating endpoints and their first hop routers. This approach enables one endpoint S to check that the topological location of the other endpoint D maps correctly to that other endpoint' s claimed IP address prefix.
Following the IKv2 exchange between S and D, S requests AR(S) to perform a PRD check in respect of D's IP address. For this purpose, S sends a Prefix Reachability
Request (PRR) message to AR(S) which carries a secret, Ksh, D's fixed IP address
(IPd), and S's fixed IP address (CoA). Ksh is derived from the hash of the IKEv2 session key Ks and a hint, H. The PRR message is signed with S's private key and the option carrying Ksh is encrypted with AR(S) 's public key.
Both S and D use the same method to derive Ksh, e.g.
Ksh = First[ 128, Hash[ Hash(Ks) | IID(C) | IID(S) ]]
Where:
• First(X,Y) indicates a truncation of "Y" data so that only the first "X" bits remain to be used.
• Hash is a secure cryptographic function.
• Ks is IKEv2 session key.
• IID(D) = (D)'s IP address interface identifier.
• IID(S) = (S)'s IP address interface identifier. • "I" (concatenation): indicates bytewise concatenation, as in A|B. This concatenation requires that all of the octets of the datum A appear first in the result, followed by all of the octets of the datum B.
• 1ID(D) I IID(S) = Hint (H).
AR(S) receives the PRR and attempts to validate it using S's public key. Assuming that validation is successful, AR(S) performs a "prefix lookup" using D's 64-bit prefix (IPPd), in order to learn the corresponding IP address (IPAR(D)) and public key Kpd of AR(D). It is assumed that some trusted network server (TNS) is provided for this purpose, and that a secure look-up protocol is available. AR(S) then sends an "On Link Presence Request" (OLPR) message to AR(D), which carries D's 64-bit interface identifier (IIDD), S'S COA including its 64-bit prefix (IPPs), and a 64-bit nonce (n). The IP destination address used in the OLPR message is the one sent to AR(S) in response to its query related to D's prefix. AR(S) authenticates the OLPR message with Ksh and signs it with its own private key.
Upon receiving an OLPR message, AR(D) starts the validation procedure by performing a look-up on S's prefix in order to fetch the corresponding IP address (IPAR(S)) and public key(s), Kps. Again, this relies upon the existence of a trusted network server and a secure look-up protocol. AR(D) then checks the validity of the IP source address used in the OLPR message by confirming that it matches the IP address returned from the trusted server. This represents a first level of defence, but it will not prevent (at this stage) an attack using a spoofed source address. AR(D) then checks whether or not the requested HD is present on the local link. For this purpose, AR(D) uses the neighbor discovery protocol (described in RFC2461) and inserts S's CoA in the ND message. AR(D) authenticates (or signs) the ND message using its private key Kpd, before sending it on the local link.
Assuming that D is indeed present on the local link, it receives the ND message and determines the hint H (which may be explicitly carried in the message or reconstructed from the Interface Identifiers). D updates its binding cache entry for S's IP address using the CoA, and replies to AR(D) with an ND message containing Ksh (calculated using the above formula). Ksh is inserted in an option encrypted using AR(D) 's public key, Kpd. The message is also signed using D's private key.
AR(D) validates the ND message using its public key, and decrypts Ksh using its own private key. AR(D) uses Ksh to check the authenticity of the OLPR message previously received from AR(S). It is noted that this authentication step is not computationally expensive. If the message is authenticated, then AR(D) proceeds to check the signature using its public key Kps (a more computationally expensive process), then sends back an "On Link Presence Confirmation (OLPC)" message to AR(S). The OLPC message carries the nonce sent in the OLPR message. In addition, the OLPC message is authenticated with the shared key Ksh and signed with AR(D) 's private key. In the event that AR(D) does not get a valid reply from D (i.e., a message conveying Ksh), AR(D) sends an "On link Prefix Denial (OLPD)" message to AR(S). It follows that the OLPR message cannot be authenticated and in this case, the OLPD is signed with AR(D) ' s private key.
After checking the validity of OLPC/OLPD using Ksh and Kpd, AR(S) notifies S of the success/failure of its PRR message. This is done by sending a "Prefix Reachability Acknowledgment" (PRA) message to S. The PRA message is signed with AR(S) 's private key. The OLPD message is reflected in the PRA message by setting the "Alert" (A) bit. Following receipt of a valid PRA message, S can decide whether or not to pursue the data exchange with D, and in particular to perform the AOTPE establishment phase.
The PRD procedure can be repeated periodically during the data exchange between S and D and indeed this is desirable to ensure that one of the parties does not subsequently move out from behind its access router and initiate a "sniffing" attack on the link between the routers (using SGK and DGK). In such an event, the endpoint that remains behind its access router will determine from the repeat PRD procedure that the other endpoint has moved and can stop sending traffic. This event may also trigger the access routers to renegotiate the group keys DGK, SGK.
Following the running of the AOTPE establishment phase, the endpoints S and D share a pair of session keys (Session Key 1 and 2) and DHID/SHID. The access routers AR(S) and AR(D) also share DHID/SHID, as well as the group keys SGK and DGK. Following the running of the PRD process, the endpoints can be confident that they are communicating directly with one another and not via a man-in-the middle. Also, as described, repeating the PRD process at regular intervals allows the access routers to detect when an endpoint has left the local network and to take appropriate action.
Figure 5 illustrates a signalling flow associated with this initial PRD process, assuming that all authentications and checks are carried out successfully.
Consider now the case where one of the endpoints, S, detaches from AR(S) and attaches to a new access router, AR(N). It will be appreciated that shortly after the move a repeat of the PRD process between AR(S) and AR(D) will detect this movement, and new group keys will be negotiated [preventing S from launching a man-in-the-middle attack between AS(S) and AR(D)]. S will determine the network prefix of AR(N) and its public key (typically broadcast by the access router in a RtAdv message assuming use of the SeND protocol). S then configures a new fixed (CGA) IP address (CoA) using the network prefix and a static HD. In order to allow S to continue with its ongoing communication with D, S must communicate the new CoA to D. As a first step in this process, S sends a PRR message to AR(N) in order to trigger AR(N) to perform a Prefix Reachability Detection (PRD) test on D's HD. As before, the PRR message carries the key shared between S and D, namely Ksh. This Ksh may be the same key used previously, or it may be a refreshed key. Refreshing could be achieved, for example, by including a counter in the formula used to generate Ksh: Ksh = First[ 128, Hash[ Hash(Ks) | IID(C) | IID(S) | COUNT ] ] where COUNT is equal to zero on the first PRD, then its value is increased by 1 (or more) for each new run. The updated count may need to be sent in the subsequent signaling.
S also includes in the PRR message its static identifier, e.g. HoA or HI, the previously determined DHID and SHID, and its new CoA. The PRR may be piggybacked on a
RtSoI message protected using SeND/OptiSeND. Upon receipt of the PRD message,
AR(N) fetches AR(D) 's public key and IP address from the trusted network server, using D's claimed prefix. AR(N) then determines whether or not it already has a shared
SGKn/DGKn with AR(D). These group keys may exist due to previous communication between hosts located behind AR(N) and AR(D). In the event that no group keys are already shared by the access routers, AR(N) generates a new group key SGKn.
AR(N) then sends an OLPR message to AR(D) and includes in this S's static identifier as well as the CoA, inserted in a new option(s). AR(N) also includes in the OLPR a new group key SGKn, if one was generated, as well as DHID, encrypted with AR(D)'s public key, Kps. DHID will act as a session identifier to D.
Upon receipt of the OLPR at AR(D), AR(D) validates AR(N) using the trusted server and the procedure described above. It then checks for D's presence on the local link at the IID contained within the OLPR, including S's static identifier, CoA and the DHID in the ND message. D uses DHID to fetch the previously negotiated Security Association, including Session keys 1 and 2, and to update its binding cache entries with the new CoA. Assuming that D is present on the local link, it returns Ksh to AR(D), and AR(D) uses this key to authenticate the OLPR as "belonging" to S. D also includes in the ND that it sends to AR(D), the previously used SHID. AR(D) generates a new group key DGKn if necessary, and then updates its binding cache entry with DHID and SHID and the new group keys.
The next step is for AR(D) to send an OLPC to AR(N) in the event that all procedures have been completed successfully, including if necessary DGKn encrypted with AR(S)'s public key. Otherwise AR(D) returns an OLPD denial. In the case that AR(S) receives an OLPC and is able to validate the signature, it sends a PRA to S.
At this stage, S can be confident that D is located within the network that owns the network prefix that D wishes to use, and vice versa. Furthermore, S and D can be confident that they are communicating directly with one another and not via a man-in- the-middle attacker. S and D can begin sending packets to one another using the AOTPE procedure described above.
Figure 7 illustrates schematically a mobile node (S) and an access router suitable for implementing the mobility protocol presented here. Within the MN 1 there is provided a memory 2 for storing DHID, SHID and other required parameters. A functional block 3 performs the AOTPE negotiation with a peer node via the ARs, whilst a functional block 4 is responsible for on-the-fly pad encryption (and decryption) of packets, including incorporating into outgoing packets the appropriate PSN. An interface 14 connects the MN to the AR. Within the access router 5 a database 6 stores all session related data (see Table 2 below), whilst a functional block 7 is responsible for PRD and AOTPE establishment. A further functional block 8 handles on-the-fly IID substitution for incoming and outgoing packets, as well as local network routing based upon DHID and SHID. A first interface 12 connects the AR to the MN, whilst a second interface 13 connects it to the CN. Also illustrated in Figure 7 are correspondent node CN 9, and a CN access router 10. Also illustrated is a trusted server 11. The procedure described above efficiently integrates a prefix reachability test with the IP address anonymisation setup process. The signalling is very efficient as it relieves S from running a care-of address reachability test (which may be susceptible to a spoofing attack) with D, whilst also relieving it from exchanging a BU/BA following the reachability test. Compared to conventional mobility protocols, four end-to-end messages are replaced by two AR-to-AR messages for each IP handoff. The mobile node only has to send a single local (on-link) message to its access router. Of course, efficiency savings are even greater in the (not uncommon) case where the MN is talking to multiple CNs at the same time, as the MN needs to send only a single PRR message to the new access router. As well as improving security, handoff latency is greatly reduced.
It will be appreciated by those of skill in the art that various modifications may be made to the above described embodiments without departing from the scope of the present invention. For example, whilst in the example procedure described above S initiates the PRD test upon moving to a new access router, the PRD procedure may in fact be initiated by D. It will also be appreciated that the invention is applicable to handling multi-homed devices, i.e. devices having multiple parallel interfaces. In this case, the switch from one interface to another is analogous to a mobile node moving from one access router to another.
According to another modification to the procedure described above, it may be desirable to refresh the SHID and DHID at each handoff in order to mask the mobile node's mobility to the correspondent node's access router. In this case, the new access router will just receive a new DHID from the mobile node upon attachment. This DHID is pre-computed by the mobile node and pre-stored by the correspondent node in the corresponding binding cache entry (BCE). In this case, if the mobile node's previous access router and the new one can talk to one another, it becomes difficult for the previous one to know if the same mobile node is now attached to the new access router. This will also make it hard for the access router on the mobile node's side to trace the mobile node when it moves away from its link to a neighbouring access router. On (S) side
On (D) side
Table 1 Public κey{0
Table 2

Claims

Claims
1. A method of re-establishing a session between first and second IP hosts (1,9) attached to respective first and second IP access routers (5,10), the session previously having been conducted via a previous access router to which said first host was attached, and where a security association comprising a shared secret has been established between the hosts, the method comprising: sending a connection request from said first host (1) to said first access router (5), said request containing an IP address claimed by said second host, a new care-of-address for the first host, and a session identifier; at said first access router (1), upon receipt of said connection request, obtaining a verified IP address for said second access router (9) and sending an on link presence request to the second access router, the request containing at least an Interface Identifier part of the second host's claimed IP address, said care-of- address, and said session identifier; at said second access router (10), confirming that said second host is attached to the second access router using the claimed Interface Identifier including sending to the second host said care-of-address and said session identifier, and reporting the presence status to said first access router; at said second host, using said session identifier to identify said security association, and updating the binding cache entry for said first host with the new care-of-address.
2. A method according to claim 1 and comprising, at said first router (5), obtaining together with said verified IP address, a public key of said second access router (10), and authenticating the presence status report sent by the second access router using said public key.
3. A method according to any one of the preceding claims, wherein verified IP address for said second access router (10) is retrieved by the first access router (5) from a trusted network server (11).
4. A method according to any one of the preceding claims and comprising, following receipt of said on link presence request at said second access router (10), obtaining a public key of said first access router (5), and authenticating the request with that key.
5. A method according to claim 4, wherein said public key of the first access router (5) is retrieved by the second access router (10) from a trusted network server (11).
6. A method according to any one of the preceding claims, said connection request being carried in a router solicitation message.
7. A method according to any one of the preceding claims, wherein said care-of- address and said session identifier are sent from the second access router (10) to the second host (9) in a Neighbour Discovery message.
8. A method according to claim 7 and comprising including in said connection request a secret key shared between the first and second hosts and associated with said security association, said secret key also being included in a Neighbour Discover response sent from said second host (9) to said second access router (10), the secret key being used by the access routers to authenticate the presence status report.
9. A method according to any one of the preceding claims, wherein said care-of- address is a cryptographically generated IPv6 address and said connection request is signed with the first host's private key and verified at the first access router (5) using the corresponding public key.
10. A method according to claim 8, wherein said IP address claimed by the second host (9) is a cryptographically generated IPv6 address and said Neighbour Discovery response is signed with the second host's private key and verified at the second access router (10) using the corresponding public key.
11. A method according to any one of the preceding claims, wherein said first and second access routers (5,10) share a pair of group keys that are subsequently used by the routers to generate anonymised Interface Identifiers for use in the source and destination IPv6 addresses of the first and second hosts (1,9).
12. A method according to claim 11, wherein, in the event that said group keys are not shared by the access routers (5,10) prior to receipt by the first access router of said connection request, the keys are generated at respective hosts (1,9) and exchanged by the hosts.
13. A method according to claim 12, wherein a first group key SGKn is generated by said first access router (5) upon receipt of the connection request from the first host (1) and is included in the on link presence request sent to the second access router (10), and a second group key DGKn is generated by the second access router (10) upon confirmation that the second host (9) is attached to the second access router at its claimed IP address and is included in the presence status report sent to the first access router.
14. An access router for use in an IP communication network and comprising: an input (12) for receiving from a mobile node (1) an attachment request, the request containing a care-of-address acquired by the mobile node, an IPv6 address claimed by a correspondent node (9) of the mobile node, and a session identifier; first processing means (7) for obtaining a validated IP address for a peer access router (10) behind which the correspondent node should be located; output means (13) for forwarding an on link presence request to said peer access router using said validated IP address and containing said care-of-address, the claimed IPv6 address, and said session identifier.
15. An access router for use in an IP communication network and comprising: an input (13) for receiving from a peer access router an on link presence request containing a care-of-address acquired by a mobile node located behind said peer access router, an IPv6 address claimed by a correspondent node and containing an Interface Identifier part belonging to the access router, and a session identifier; processing means (7) for confirming that said correspondent node is present on the local link including means for sending said care-of-address and said session identifier to said correspondent node; and output means (12) for reporting a link status to said peer access router.
16. A mobile node for use in an IP communication network and comprising: processing means for establishing a session with a correspondent node, said session comprising one or more security associations and a session identifier identifying the session; attachment means for detaching from a previous access router and for attaching to a new access router and arranged to send an attachment request to the new access router, the attachment request containing an IPv6 address of said correspondent node, a care-of-address claimed by said correspondent node, said session identifier, and a prefix reachability request in respect of the Interface
Identifier part of the correspondent node's claimed IP address; input means for receiving reachability confirmation in respect of said claimed IP address from said access router; and packet processing means for exchanging packets with said correspondent node following receipt of said confirmation.
EP08724217.8A 2008-03-12 2008-03-12 Re-establishment of a security association Not-in-force EP2253120B1 (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/SE2008/050270 WO2009113921A1 (en) 2008-03-12 2008-03-12 Re-establishment of a security association

Publications (3)

Publication Number Publication Date
EP2253120A1 true EP2253120A1 (en) 2010-11-24
EP2253120A4 EP2253120A4 (en) 2012-05-30
EP2253120B1 EP2253120B1 (en) 2018-02-28

Family

ID=41065454

Family Applications (1)

Application Number Title Priority Date Filing Date
EP08724217.8A Not-in-force EP2253120B1 (en) 2008-03-12 2008-03-12 Re-establishment of a security association

Country Status (4)

Country Link
US (1) US8918522B2 (en)
EP (1) EP2253120B1 (en)
CN (1) CN101965722B (en)
WO (1) WO2009113921A1 (en)

Families Citing this family (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009099358A1 (en) * 2008-02-08 2009-08-13 Telefonaktiebolaget Lm Ericsson (Publ) Method and apparatus for use in a communications network
US20100095117A1 (en) * 2008-10-15 2010-04-15 Shebanow Michael C Secure and positive authentication across a network
US8918835B2 (en) * 2010-12-16 2014-12-23 Futurewei Technologies, Inc. Method and apparatus to create and manage virtual private groups in a content oriented network
US9021104B2 (en) * 2011-02-28 2015-04-28 Futurewei Technologies, Inc. System and method for mobility management in a wireless communications system
JP5741150B2 (en) * 2011-04-04 2015-07-01 富士通株式会社 Relay device, relay program, and relay method
US9479344B2 (en) * 2011-09-16 2016-10-25 Telecommunication Systems, Inc. Anonymous voice conversation
KR101240552B1 (en) * 2011-09-26 2013-03-11 삼성에스디에스 주식회사 System and method for managing media keys and for transmitting/receiving peer-to-peer messages using the media keys
US9075953B2 (en) * 2012-07-31 2015-07-07 At&T Intellectual Property I, L.P. Method and apparatus for providing notification of detected error conditions in a network
US9027114B2 (en) * 2013-03-12 2015-05-05 Cisco Technology, Inc. Changing group member reachability information
US9825759B2 (en) * 2013-07-08 2017-11-21 Alcatel Lucent Secure service management in a communication network
US9503476B2 (en) 2014-01-28 2016-11-22 Vivint, Inc. Anti-takeover systems and methods for network attached peripherals
EP3190747B1 (en) * 2016-01-08 2018-11-14 Apple Inc. Secure wireless communication between controllers and accessories
US10540652B2 (en) * 2016-11-18 2020-01-21 Intel Corporation Technology for secure partitioning and updating of a distributed digital ledger
US10880280B2 (en) * 2017-02-22 2020-12-29 Network Next, Inc. Methods of bidirectional packet exchange over nodal pathways
US10530658B2 (en) * 2017-05-12 2020-01-07 Dell Products, L.P. Discovery of system with unique passwords by management console
US10841283B2 (en) * 2017-07-17 2020-11-17 Futurewei Technologies, Inc. Smart sender anonymization in identity enabled networks
CN109831313B (en) * 2019-03-19 2021-02-26 全链通有限公司 Group communication method, apparatus and computer-readable storage medium
CN110224980B (en) * 2019-05-05 2020-10-27 清华大学 Credible MPTCP transmission method and system
US11784970B2 (en) 2021-06-29 2023-10-10 Cisco Technology, Inc. First hop security in multi-site multi-vendor cloud

Family Cites Families (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP3739260B2 (en) * 2000-08-24 2006-01-25 株式会社日立製作所 Information distribution system and gateway device
AU2002216062A1 (en) * 2001-11-27 2003-06-10 Nokia Corporation Transmission of a binding update message indicating a care of address for delivering data packets to a mobile node via a unidirectional interface
US20030211842A1 (en) * 2002-02-19 2003-11-13 James Kempf Securing binding update using address based keys
US7380124B1 (en) * 2002-03-28 2008-05-27 Nortel Networks Limited Security transmission protocol for a mobility IP network
JP3990976B2 (en) * 2002-12-19 2007-10-17 株式会社エヌ・ティ・ティ・ドコモ Mobile node, mobility control device, communication control method, and communication system
JP4480963B2 (en) * 2002-12-27 2010-06-16 富士通株式会社 IP connection processing device
US7505432B2 (en) * 2003-04-28 2009-03-17 Cisco Technology, Inc. Methods and apparatus for securing proxy Mobile IP
JP4177377B2 (en) * 2003-08-29 2008-11-05 富士通株式会社 Communication control system
JP4438510B2 (en) * 2004-05-25 2010-03-24 株式会社日立製作所 COMMUNICATION SYSTEM AND COMMUNICATION CONTROL DEVICE
US7509491B1 (en) * 2004-06-14 2009-03-24 Cisco Technology, Inc. System and method for dynamic secured group communication
US7843871B2 (en) * 2004-12-21 2010-11-30 International Business Machines Corporation Method of reestablishing communication by a mobile node upon recovery from an abrupt shut down
US20060149814A1 (en) * 2004-12-30 2006-07-06 Utstarcom, Inc. Method and apparatus for presence status facilitation by an access gateway in a mobile communications system
JP4595619B2 (en) * 2005-03-28 2010-12-08 パナソニック株式会社 Mobile router, home agent, and terminal location management method
US20090031130A1 (en) * 2005-04-28 2009-01-29 Matsushita Electric Industrial Co., Ltd. System, associated methods and apparatus for securing prefix-scoped binding updates
JP4616732B2 (en) * 2005-09-02 2011-01-19 株式会社日立製作所 Packet transfer device
US20070113075A1 (en) * 2005-11-10 2007-05-17 Ntt Docomo, Inc. Secure route optimization for mobile network using multi-key crytographically generated addresses
CN101001261B (en) * 2006-01-09 2010-09-29 华为技术有限公司 Communication method of MIPv6 moving node
EP1826958A1 (en) * 2006-02-28 2007-08-29 Matsushita Electric Industrial Co., Ltd. Route optimization with location privacy support
US20070254677A1 (en) * 2006-05-01 2007-11-01 Motorola, Inc. Method and system to enable paging for mobile ip nodes
KR101051548B1 (en) * 2007-06-11 2011-07-22 후지쯔 가부시끼가이샤 Mobile communication system, location registration method, terminal and home agent
US8060086B1 (en) * 2007-11-02 2011-11-15 Sprint Spectrum L.P. Method and apparatus for processing mobile-IP registration requests

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
HADDAD ARCHITECTURE (SAVA) M NASLUND ERICSSON RESEARCH C VOGT ERICSSON RESEARCH NOMADIC LAB W: "Enabling Source Address Verification via Prefix Reachability Detection; draft-haddad-sava-prefix-reachability-dete ction-00.txt", 20070701, 1 July 2007 (2007-07-01), XP015050975, ISSN: 0000-0004 *
HADDAD S KRISHNAN ERICSSON RESEARCH H SOLIMAN QUALCOMM-FLARION W: "Using Cryptographically Generated Addresses (CGA) to secure HMIPv6 Protocol (HMIPv6sec); draft-haddad-mipshop-hmipv6-security-06.tx t", 20060807, no. 6, 7 August 2006 (2006-08-07), XP015046572, ISSN: 0000-0004 *
HADDAD S KRISHNAN ERICSSON RESEARCH J CHOI SAMSUNG AIT J LAGANIER DOCOMO EURO-LABS W: "Secure Neighbor Discovery (SeND) Optimizations: The OptiSeND Protocol; draft-haddad-mipshop-optisend-03.txt", 20070709, no. 3, 9 July 2007 (2007-07-09), XP015050974, ISSN: 0000-0004 *
See also references of WO2009113921A1 *

Also Published As

Publication number Publication date
EP2253120A4 (en) 2012-05-30
CN101965722B (en) 2013-06-26
US8918522B2 (en) 2014-12-23
EP2253120B1 (en) 2018-02-28
US20110035585A1 (en) 2011-02-10
CN101965722A (en) 2011-02-02
WO2009113921A1 (en) 2009-09-17

Similar Documents

Publication Publication Date Title
US8918522B2 (en) Re-establishment of a security association
US8549294B2 (en) Securing home agent to mobile node communication with HA-MN key
US7881468B2 (en) Secret authentication key setup in mobile IPv6
US20030211842A1 (en) Securing binding update using address based keys
US7155500B2 (en) IP address ownership verification mechanism
US8447979B2 (en) Method and apparatus for binding update between mobile node and correspondent node
Deng et al. Defending against redirect attacks in mobile IP
JP2009516435A (en) Secure route optimization for mobile networks using multi-key encryption generated addresses
JP4585002B2 (en) High-speed network connection mechanism
JP5159878B2 (en) Method and apparatus for combining internet protocol authentication and mobility signaling
JP5250634B2 (en) Method and apparatus for use in a mobile communication network
WO2008034368A1 (en) A method, system, mobile node and correspondent node for generating the binding management key
US7502932B2 (en) Return routability method for secure communication
CA2714280A1 (en) Method and apparatus for use in a communications network
CN1741523B (en) Key exchange protocol method for realizing main machine transferability and multi-home function
US20120110144A1 (en) Cryptographically generated addresses using backward key chain for secure route optimization in mobile internet protocol
Qiu et al. Protecting all traffic channels in Mobile IPv6 network
Kavitha et al. Security analysis of binding update protocols in route optimization of MIPv6
Al Hawi et al. Secure framework for the return routability procedure in MIPv6
Qiu et al. Authenticated binding update in Mobile IPv6 networks
Rathi et al. A Secure and Fault tolerant framework for Mobile IPv6 based networks
Modares et al. Protection of binding update message in Mobile IPv6
Mononen et al. Location Privacy in Mobile IPv6.
Liu et al. Local key exchange for mobile IPv6 local binding security association
Jo et al. Secure Route Optimization for Network Mobility Using Secure Address Proxying

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20100922

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MT NL NO PL PT RO SE SI SK TR

AX Request for extension of the european patent

Extension state: AL BA MK RS

DAX Request for extension of the european patent (deleted)
A4 Supplementary search report drawn up and despatched

Effective date: 20120426

RIC1 Information provided on ipc code assigned before grant

Ipc: H04W 80/04 20090101ALN20120420BHEP

Ipc: H04W 12/02 20090101AFI20120420BHEP

Ipc: H04W 12/04 20090101ALI20120420BHEP

Ipc: H04W 12/12 20090101ALN20120420BHEP

Ipc: H04L 29/06 20060101ALI20120420BHEP

17Q First examination report despatched

Effective date: 20150825

REG Reference to a national code

Ref country code: DE

Ref legal event code: R079

Ref document number: 602008054201

Country of ref document: DE

Free format text: PREVIOUS MAIN CLASS: H04L0029060000

Ipc: H04W0012020000

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: GRANT OF PATENT IS INTENDED

RIC1 Information provided on ipc code assigned before grant

Ipc: H04W 12/12 20090101ALN20170928BHEP

Ipc: H04W 12/04 20090101ALI20170928BHEP

Ipc: H04W 36/00 20090101ALN20170928BHEP

Ipc: H04W 76/04 20090101ALN20170928BHEP

Ipc: H04L 29/06 20060101ALI20170928BHEP

Ipc: H04W 12/02 20090101AFI20170928BHEP

Ipc: H04W 80/04 20090101ALN20170928BHEP

Ipc: H04W 8/08 20090101ALN20170928BHEP

INTG Intention to grant announced

Effective date: 20171016

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE PATENT HAS BEEN GRANTED

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MT NL NO PL PT RO SE SI SK TR

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

Ref country code: CH

Ref legal event code: EP

REG Reference to a national code

Ref country code: AT

Ref legal event code: REF

Ref document number: 975406

Country of ref document: AT

Kind code of ref document: T

Effective date: 20180315

REG Reference to a national code

Ref country code: NL

Ref legal event code: FP

Ref country code: IE

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: DE

Ref legal event code: R096

Ref document number: 602008054201

Country of ref document: DE

REG Reference to a national code

Ref country code: LT

Ref legal event code: MG4D

REG Reference to a national code

Ref country code: AT

Ref legal event code: MK05

Ref document number: 975406

Country of ref document: AT

Kind code of ref document: T

Effective date: 20180228

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: HR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180228

Ref country code: LT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180228

Ref country code: NO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180528

Ref country code: FI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180228

Ref country code: ES

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180228

Ref country code: CY

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180228

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180228

Ref country code: AT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180228

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180529

Ref country code: LV

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180228

Ref country code: BG

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180528

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180228

Ref country code: EE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180228

Ref country code: RO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180228

Ref country code: PL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180228

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

REG Reference to a national code

Ref country code: DE

Ref legal event code: R097

Ref document number: 602008054201

Country of ref document: DE

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180228

Ref country code: CZ

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180228

Ref country code: MC

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180228

Ref country code: DK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180228

REG Reference to a national code

Ref country code: BE

Ref legal event code: MM

Effective date: 20180331

REG Reference to a national code

Ref country code: IE

Ref legal event code: MM4A

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LU

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20180312

RIC2 Information provided on ipc code assigned after grant

Ipc: H04W 12/02 20090101AFI20170928BHEP

Ipc: H04W 36/00 20090101ALN20170928BHEP

Ipc: H04W 76/04 20181130ALN20170928BHEP

Ipc: H04W 12/12 20090101ALN20170928BHEP

Ipc: H04W 80/04 20090101ALN20170928BHEP

Ipc: H04L 29/06 20060101ALI20170928BHEP

Ipc: H04W 12/04 20090101ALI20170928BHEP

Ipc: H04W 8/08 20090101ALN20170928BHEP

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20180312

26N No opposition filed

Effective date: 20181129

RIC2 Information provided on ipc code assigned after grant

Ipc: H04W 80/04 20090101ALN20170928BHEP

Ipc: H04L 29/06 20060101ALI20170928BHEP

Ipc: H04W 76/04 20090101ALN20170928BHEP

Ipc: H04W 12/12 20090101ALN20170928BHEP

Ipc: H04W 12/02 20090101AFI20170928BHEP

Ipc: H04W 12/04 20090101ALI20170928BHEP

Ipc: H04W 36/00 20090101ALN20170928BHEP

Ipc: H04W 8/08 20090101ALN20170928BHEP

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180228

Ref country code: LI

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20180331

Ref country code: BE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20180331

Ref country code: CH

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20180331

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: FR

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20180428

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MT

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20180312

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: TR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180228

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: GB

Payment date: 20200327

Year of fee payment: 13

Ref country code: NL

Payment date: 20200326

Year of fee payment: 13

Ref country code: DE

Payment date: 20200327

Year of fee payment: 13

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: HU

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; INVALID AB INITIO

Effective date: 20080312

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180228

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180628

REG Reference to a national code

Ref country code: DE

Ref legal event code: R119

Ref document number: 602008054201

Country of ref document: DE

REG Reference to a national code

Ref country code: NL

Ref legal event code: MM

Effective date: 20210401

GBPC Gb: european patent ceased through non-payment of renewal fee

Effective date: 20210312

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: NL

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20210401

Ref country code: GB

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20210312

Ref country code: DE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20211001